On 2020/11/24 15:49:58, Francesco Chicchiriccò <ilgro...@apache.org> wrote: 
> Hi,
> in a Wicket 8.8.0 application, I am following what is suggested in
> 
> https://ci.apache.org/projects/wicket/guide/8.x/single.html#_external_security_checks
> 
> to add Content-Security-Policy header into response.
> 
> My application extends AuthenticatedWebApplication so, when accessing the 
> root page, I receive an HTTP 302 redirect to
> 
> /login;jsessionid=<something>
> 
> which is expected.
> 
> Unfortunately, as far as I can tell, the Content-Security-Policy header is 
> included in the initial request to the root page but missing when I am 
> getting the login page, following the redirect.

Further information: with -Dwicket.configuration=deployment

GET / returns

HTTP/1.1 302 
Set-Cookie: JSESSIONID=31A285C6E9F7B7F238F58B7DFC3DBD2B; Path=/syncope-console; Secure; HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src https:
X-Content-Type-Options: nosniff
Date: Wed, 25 Nov 2020 09:04:18 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store
Location: ./login;jsessionid=31A285C6E9F7B7F238F58B7DFC3DBD2B
Content-Length: 0

GET ./login;jsessionid=31A285C6E9F7B7F238F58B7DFC3DBD2B returns

HTTP/1.1 302 
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src https:
X-Content-Type-Options: nosniff
Date: Wed, 25 Nov 2020 09:05:22 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store
Location: ./login;jsessionid=31A285C6E9F7B7F238F58B7DFC3DBD2B?1
Content-Length: 0

and finally GET ./login;jsessionid=31A285C6E9F7B7F238F58B7DFC3DBD2B?1 returns

HTTP/1.1 200 
Date: Wed, 25 Nov 2020 09:06:14 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked

<!DOCTYPE html>
<!-- content stripped -->

I am observing that with -Dwicket.configuration=development even the last GET 
returns the expected headers.

Regards.
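
A small checker for the behaviour described in the mail above, added here as an example; it is neither part of the original message nor Wicket or Syncope code. It parses each hop of a redirect chain as a raw response head and reports every hop that lacks one of the headers the guide's "external security checks" section has the application set. The point it makes is the one in the captures: the 302s carry the headers, but the final 200, the only response whose body the browser renders, does not. The sample chain is built from the three captures quoted in the mail; the required-header list, the function names and the optional live `fetch_chain()` helper (which is not used offline) are this example's own assumptions.

```python
"""Audit a redirect chain for security headers that must be present on every
hop, not only on the intermediate 302s. Parses raw response heads as pasted
from a client or proxy log. The sample chain below is copied from the three
captures in the mail (deployment mode); everything else is example code."""
from __future__ import annotations

import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, List, Tuple

# Assumed set of headers the application adds following the Wicket guide's
# "external security checks" section; the audit wants each one on every hop.
REQUIRED_HEADERS = (
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Frame-Options",
    "X-Content-Type-Options",
)

# Constructed from the three responses captured in the mail. The Set-Cookie
# line is wrapped with a leading space, as a pasted capture usually is.
CAPTURED_CHAIN = [
    "HTTP/1.1 302 \n"
    "Set-Cookie: JSESSIONID=31A285C6E9F7B7F238F58B7DFC3DBD2B; Path=/syncope-console;\n"
    " Secure; HttpOnly\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\n"
    "X-Frame-Options: deny\n"
    "X-XSS-Protection: 1; mode=block\n"
    "Content-Security-Policy: default-src https:\n"
    "X-Content-Type-Options: nosniff\n"
    "Cache-Control: no-cache, no-store\n"
    "Location: ./login;jsessionid=31A285C6E9F7B7F238F58B7DFC3DBD2B\n"
    "Content-Length: 0\n",
    "HTTP/1.1 302 \n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\n"
    "X-Frame-Options: deny\n"
    "X-XSS-Protection: 1; mode=block\n"
    "Content-Security-Policy: default-src https:\n"
    "X-Content-Type-Options: nosniff\n"
    "Cache-Control: no-cache, no-store\n"
    "Location: ./login;jsessionid=31A285C6E9F7B7F238F58B7DFC3DBD2B?1\n"
    "Content-Length: 0\n",
    "HTTP/1.1 200 \n"
    "Cache-Control: no-cache, no-store\n"
    "Content-Type: text/html;charset=UTF-8\n"
    "Transfer-Encoding: chunked\n"
    "\n"
    "<!DOCTYPE html>\n",
]


def parse_raw_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Parse a raw response head into (status, {lower-cased name: value}).
    Anything after the first blank line is body and is ignored. A line that
    starts with whitespace is an obsolete header fold and is appended to the
    previous header's value."""
    head = raw.split("\n\n", 1)[0]
    lines = [ln.rstrip("\r") for ln in head.splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    last = None
    for ln in lines[1:]:
        if ln[0] in " \t" and last is not None:
            headers[last] = headers[last] + " " + ln.strip()
            continue
        name, _, value = ln.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return status, headers


def audit_chain(raw_responses: List[str]) -> List[Tuple[int, int, List[str]]]:
    """Return one (hop_index, status, missing_headers) entry for every hop
    that lacks at least one required header; an empty list means the whole
    chain is covered. The last hop matters most: a CSP that is present only
    on the redirects protects nothing, since no document is rendered there."""
    findings: List[Tuple[int, int, List[str]]] = []
    for i, raw in enumerate(raw_responses):
        status, headers = parse_raw_response(raw)
        missing = [h for h in REQUIRED_HEADERS if h.lower() not in headers]
        if missing:
            findings.append((i, status, missing))
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_chain(url: str, max_hops: int = 10) -> List[str]:
    """Live variant (not used in the offline demo): request url, follow
    Location by hand, and return each hop as a raw head for audit_chain()."""
    opener = urllib.request.build_opener(_NoRedirect)
    chain: List[str] = []
    for _ in range(max_hops):
        try:
            resp = opener.open(url, timeout=10)
            status = resp.status
        except urllib.error.HTTPError as err:  # 3xx and 4xx arrive as HTTPError
            resp, status = err, err.code
        head = f"HTTP/1.1 {status}\n" + "".join(
            f"{k}: {v}\n" for k, v in resp.headers.items())
        chain.append(head)
        if status not in (301, 302, 303, 307, 308):
            break
        url = urllib.parse.urljoin(url, resp.headers["Location"])
    return chain


if __name__ == "__main__":
    for hop, status, missing in audit_chain(CAPTURED_CHAIN):
        print(f"hop {hop} (HTTP {status}) is missing: {', '.join(missing)}")
```

Run against the captured chain it flags only hop 2, the HTTP 200 login page, as missing all four headers, which is exactly the gap the mail reports; against a live deployment, `audit_chain(fetch_chain("https://host/syncope-console/"))` performs the same check on each hop without letting the client silently collapse the redirects.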

